How to ensure the business safety of enterprises

How can an information security system be built effectively? An information security assurance system usually comprises three parts: a management system, a technical system, and an operation and maintenance system. This article focuses on how to build the information security management system.

The first step is to set the specific objectives for building the information security management system. Such a system is the arrangement by which an organization, as a whole or within a defined scope, establishes its information security policies and objectives and the means used to reach them. It consists of two parts, the information security organization system and the information security policy system, and it reaches its objectives through information security governance.

Information security organization system: the organizational structure set up within the organization to carry out its information security policies and objectives. It has four parts: decision-making, management, implementation and supervision bodies.

Information security policy system: the overall policy framework and norms for information security, together with the norms, processes and rules for managing it. The policy system has three levels, from top to bottom:

Level one, the overall policy (master plan), is the fundamental information security rule of the group organization; no department or individual in the organization may violate it. It sets out the general requirements for information security work.

Level two, technical guidelines and management regulations, follows the overall policy and sets more specialized requirements, methods and technical means for specific departments, applications and circumstances. It has two parts: technical guidelines, which state requirements and methods from a technical viewpoint; and management regulations, which focus on organization and management, define responsibilities and requirements, and provide the basis for assessment.

Level three, operating manuals, working rules and implementation procedures, follows the overall policy, the technical guidelines and the management regulations, and refines the level-two documents for each specific system in line with actual work. The result is manuals and workflows that guide and standardize day-to-day tasks, so that security work becomes institutionalized and routine.

The second step is to choose an appropriate construction method. The methodology accumulated over many years of information security construction is called "1-5-4-3-4": one basic theory, five reference standards, four systems forming three lines of defense, and finally four objectives.
First, one basic theory: risk management. The risk-management methodology for information systems establishes a unified security system and an effective application control mechanism, integrates the application systems fully with the security system, forms a complete process-control system for the information systems, and thereby secures their efficiency and effectiveness.

Second, five domestic and international standards. Building the information security system follows the relevant domestic and international standards throughout: ISO 27001, the multi-level protection scheme, the classified protection scheme, IT process control (COBIT), and IT process and service management (ITIL/ISO 20000).

Third, four information security assurance systems. Information security organization assurance system: set up decision-making, management, implementation and supervision bodies for information security and define the responsibilities of each level. Information security management assurance system: the set of information security management regulations formed once the organization, operation and technical systems have been standardized and institutionalized. Information security technology assurance system: the combined use of mature security technologies and products to provide security functions at different levels, such as identity authentication, access control, data integrity, data confidentiality and non-repudiation. Information security operation and maintenance assurance system: under the direction of the management system, standardized processes for operations management, security monitoring, incident handling, change management and so on, so that security issues are handled promptly, accurately and quickly and the business platforms and application systems keep running stably and reliably.
Fourth, three lines of defense. The first line of defense, ex ante, is a complete security management system plus basic security facilities: the management system, the organization system and the technical support system together form the line of defense before an incident occurs and lay the foundation for secure enterprise operations. The second line of defense, in-process control, consists of the technical system and the operation and maintenance system: through careful production scheduling, secure operation and maintenance management, and security monitoring and early warning, hidden dangers are removed in time so that business systems run continuously and reliably. The third line of defense, ex post control, is formed by the technical system: against sudden disasters of every kind, a disaster recovery system is built for important information systems and emergency drills are held regularly, creating a mechanism of rapid response and rapid recovery that reduces disaster losses to a level the organization can accept.

Fifth, four security objectives. The first is to protect the confidentiality, integrity and availability of the government's or enterprise's business data and information. System security: ensure the security of the network, host operating systems, middleware, database systems and application systems. Physical security: ensure the environmental, equipment and storage-media security of the business and management information systems. Operational security: ensure that all operations, daily monitoring, changes and maintenance of the business and management information systems meet standardized operating requirements, so that the systems run stably and reliably.

The third step is to establish a complete process of current-state survey and risk assessment.
In the survey stage, the actual situation of the government department or enterprise must be understood in full: its organizational structure, business environment, information system processes and so on. Only by understanding the organization's structure and nature can the standards its information security system should follow be determined. Its culture must also be understood, so that the management system fits that culture and later promotion, publicity and implementation go smoothly. The survey uses a "hypothesis-driven, fact-based" method: it assumes that the organization meets every control requirement of the relevant standards, then collects information through interviews, questionnaires and other means to confirm or refute that its control measures meet each requirement, and finally analyzes the gap between the current state and the standard's requirements.

In the risk assessment stage, the assessment of an information system first involves the basic elements of assets, threats and vulnerabilities. Each element has its own attributes: the attribute of an asset is its value; the attributes of a threat can be the threat actor, the affected object, the frequency of occurrence, the motivation and so on; the attribute of a vulnerability is the severity of the asset's weakness.
The main contents of risk analysis are: identify assets and assign each an asset value; identify threats, describe their attributes and assign a value to their frequency; identify the vulnerabilities of assets and assign a value to the severity of each asset's vulnerability; judge the possibility of a security incident from the threat and the difficulty of using the weakness; calculate the loss from a security incident from the severity of the vulnerability and the value of the affected asset; and from the possibility of the incident and the loss it causes, calculate its impact on the organization, that is, the risk value.

Secondly, risk assessment of information system processes is carried out. According to surveys by the consulting firm Gartner, confirmed in our own practice, one of the most effective ways to reduce information system failures is effective process management. Having secured the "static assets", it is therefore necessary to manage IT-related business processes effectively so as to protect "dynamic assets" such as the business processes themselves.

The fourth step is to design and establish the overall framework of the information security assurance system. On the basis of a full survey and of risk analysis and evaluation, an overall framework is established that covers the organization's information security policies, strategies, frameworks, planning, implementation, inspection and improvement, and sets clear security objectives and norms for the next 3-5 years of information security construction.
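The six risk-analysis steps of the third step, carried through on a small inventory as a worked example. This code is added here and is not from the original article; the 1-to-5 scales, the rounded-up-mean rules for likelihood and loss, the likelihood-times-loss risk value, the reporting bands and the sample assets, threats and vulnerabilities are all assumptions constructed for illustration.

```python
# Added worked example (not from the original article): the six risk-analysis
# steps carried through on a constructed inventory. The 1..5 scales, the
# combination rules and the level bands below are assumptions for illustration,
# not requirements stated by the article or by any particular standard.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int        # step 1: asset value, 1 (negligible) .. 5 (critical)


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: int    # step 2: how often the threat occurs, 1 (rare) .. 5 (constant)


@dataclass(frozen=True)
class Vulnerability:
    asset: str        # name of the asset that has the weakness
    threat: str       # name of the threat able to use the weakness
    description: str
    severity: int     # step 3: severity of the weakness, 1 (minor) .. 5 (critical)


def _on_scale(value: int, what: str) -> int:
    """Reject values outside the assumed 1..5 scale instead of silently using them."""
    if not 1 <= value <= 5:
        raise ValueError(f"{what} must be between 1 and 5, got {value}")
    return value


def likelihood(threat_frequency: int, vuln_severity: int) -> int:
    """Step 4: possibility of an incident, from threat frequency and how easily
    the weakness can be used. Assumed rule: rounded-up mean of the two levels."""
    return math.ceil((_on_scale(threat_frequency, "threat frequency")
                      + _on_scale(vuln_severity, "vulnerability severity")) / 2)


def loss(vuln_severity: int, asset_value: int) -> int:
    """Step 5: loss if the incident happens, from the weakness's severity and
    the affected asset's value. Assumed rule: rounded-up mean of the two levels."""
    return math.ceil((_on_scale(vuln_severity, "vulnerability severity")
                      + _on_scale(asset_value, "asset value")) / 2)


def risk_value(likelihood_level: int, loss_level: int) -> int:
    """Step 6: risk value = likelihood x loss, giving a number from 1 to 25."""
    return likelihood_level * loss_level


def risk_level(value: int) -> str:
    """Assumed bands for reporting the 1..25 risk value to management."""
    if value <= 4:
        return "low"
    if value <= 9:
        return "medium"
    if value <= 15:
        return "high"
    return "very high"


def assess(assets, threats, vulns):
    """Run steps 4-6 for every identified vulnerability and return a risk
    register sorted from highest to lowest risk value."""
    asset_by_name = {a.name: a for a in assets}
    threat_by_name = {t.name: t for t in threats}
    register = []
    for v in vulns:
        a = asset_by_name[v.asset]
        t = threat_by_name[v.threat]
        lk = likelihood(t.frequency, v.severity)
        ls = loss(v.severity, a.value)
        rv = risk_value(lk, ls)
        register.append({"asset": a.name, "threat": t.name, "weakness": v.description,
                         "likelihood": lk, "loss": ls, "risk": rv, "level": risk_level(rv)})
    register.sort(key=lambda r: r["risk"], reverse=True)
    return register


# Constructed sample inventory for the example (not real survey data).
SAMPLE_ASSETS = [Asset("Customer database", 5), Asset("Intranet portal", 2)]
SAMPLE_THREATS = [Threat("Web application attack", 4), Threat("Power failure", 2)]
SAMPLE_VULNS = [
    Vulnerability("Customer database", "Web application attack",
                  "order form builds SQL from unvalidated input", 5),
    Vulnerability("Intranet portal", "Power failure",
                  "branch server room has no UPS", 3),
    Vulnerability("Intranet portal", "Web application attack",
                  "legacy search page lacks output encoding", 2),
]


def sample_register():
    """Risk register for the constructed sample inventory."""
    return assess(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_VULNS)


if __name__ == "__main__":
    for row in sample_register():
        print(f'{row["level"]:>9}  risk={row["risk"]:2}  {row["asset"]} / '
              f'{row["threat"]}: {row["weakness"]}')
```

Each row of the register records the intermediate likelihood and loss levels alongside the final value, so a reviewer can see which of the three inputs (asset value, threat frequency, weakness severity) drove a result. This covers the "static asset" risks of the third step; the process risks the article discusses next are assessed separately.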
Framework design must integrate the findings of the current-state survey, the risk assessment, the organizational structure and the overall information security plan, and then weigh risk management together with compliance with the laws and regulations of regulators and with the relevant domestic and foreign standards. To secure the construction objectives and derive the organization's future information security tasks, the first-level documents of the assurance system comprise: the overall framework design report of the information security assurance system; the information security system construction planning report; and, following the information security system model, the development of the system from four aspects: security organization, security management, security technology, and security operation and maintenance. Decomposing and refining these four aspects yields the second-level documents of the whole government department's or enterprise's assurance system:

Information security organization system: organizational structure; roles and responsibilities; education and training; cooperation and communication.

Information security management system: information asset management; human resource security; physical and environmental security; communications and operations management; access control; information system acquisition and maintenance; business continuity management; compliance.

Information security technology system: technical specifications for the physical, network, system, application and terminal layers.

Information security operation and maintenance system: working methods, processes and management at the daily operation and maintenance level.
These include incident management, problem management, configuration management, change management, release management and the service desk.

The fifth step is to design and establish the organizational structure of the information security assurance system. The organization system is the guarantee of information security management: it ensures that responsible management positions exist to control the corresponding control points in daily work. The structure of information security management is determined from the overall framework and the organization's actual situation. Organizational structure: the result of structuring and systematizing the departments responsible for information security decision-making, management, implementation and monitoring. Roles and responsibilities: define, divide and clarify the roles individuals play in the information security organization. Security education and training: security awareness and cognition requirements, security skills training, and professional security education. Cooperation and communication: communication and cooperation with superior supervisory departments, peer units, internal units, suppliers, security industry experts and other parties.

The sixth step is to design and establish the information security management system.
According to the overall framework design, combined with the results of the risk assessment and the actual state of the organization's information systems, the third- and fourth-level documents of the management system are established with reference to the relevant standards, including:

Asset management: implementation specification and forms for the sensitivity classification and labeling of information systems; implementation specification and forms for the classified control of information systems.

Human resource security: internal employee information security code; third-party personnel security management code and forms; confidentiality agreement.

Physical and environmental security: physical security zoning and labeling specification and forms; computer room security management specification and forms; access control system security management specification and forms.

Access control: user access management specification and forms; network access control specification and forms; operating system access control specification and forms; application and information access specification and forms; mobile computing and remote access specification and forms.

Communications and operations management: network security management specification and forms; Internet service use security management specification and forms; malicious code prevention specification; storage and removable media security management specification and forms.

Information system acquisition and maintenance: information security project initiation management specification and forms; secure software development management specification and forms; software system vulnerability management specification and forms.

Business continuity management: business continuity management process specification and forms; business impact analysis specification and forms.

Compliance: applicable industry laws and regulations; tracking management specification and forms.

Finally, an integrated information security management system must be formed that meets the requirements of the whole group. To achieve this, the system must conform to the organization's strategic objectives, vision, culture and actual situation and be integrated accordingly. Throughout implementation, training must run all the way through, conveying the significance of the overall information security system to every corner of the organization and raising overall information security awareness. Only by combining all these aspects can the construction be truly effective.